This backdoor also lets him download files that add his own admin account to the site, and even alter core WordPress files so that every time a user logs in, edits their profile, or a new user account is created, the user’s password is captured (in cleartext) and sent to his server.

This sucks and I feel sorry for anyone who has fallen victim to this. That said, it’s a pretty good reminder for people to run regular audits on all their installed plugins. Note: the plugin has now been removed from the plugin directory.
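One check worth running after reading this: verify that your core WordPress files still match the known-good hashes for the installed version (WP-CLI's `wp core verify-checksums` does exactly that). The script below is an added example, not code from the post or from WordPress; it builds a constructed two-file "core" in a temp directory, tampers with it the way the post describes, and reports altered, missing and unexpected files against a manifest. File names and hashes are constructed; a real audit uses the official checksums for your version.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest):
    """Compare every file under root with manifest {relpath: sha256}.
    Returns modified, missing and unexpected paths, like a core checksum check."""
    modified = [r for r, h in manifest.items()
                if os.path.isfile(os.path.join(root, r)) and sha256_of(os.path.join(root, r)) != h]
    missing = [r for r in manifest if not os.path.isfile(os.path.join(root, r))]
    unexpected = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}

def build_tampered_install():
    """Constructed sample: a two-file 'core', a manifest of its pristine hashes,
    then one core file altered and one extra file dropped into the tree."""
    pristine = {
        "wp-login.php": b"<?php\n// pristine login handler (constructed)\n",
        "wp-includes/user.php": b"<?php\n// pristine user functions (constructed)\n",
    }
    root = tempfile.mkdtemp()
    manifest = {}
    for rel, body in pristine.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
        manifest[rel] = hashlib.sha256(body).hexdigest()
    # Tamper the way the post describes: append code to a core file that handles logins.
    with open(os.path.join(root, "wp-login.php"), "ab") as f:
        f.write(b"// injected stub: would forward the submitted password (constructed placeholder)\n")
    # A file the manifest does not know about, e.g. a dropped helper.
    with open(os.path.join(root, "wp-includes", "dropped.php"), "wb") as f:
        f.write(b"<?php // constructed unexpected file\n")
    return root, manifest

if __name__ == "__main__":
    root, manifest = build_tampered_install()
    print(verify_core(root, manifest))  # flags wp-login.php as modified, dropped.php as unexpected
```

Any hit in "modified" on a core file is worth treating as a compromise until you have diffed it against a clean copy, since a plugin can be removed from the directory long after it has already changed files on your site.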